Tech Friday with Dave Hatter - May 29th 2020 - SPONSORED BY INTRUST IT


  • A lost or stolen phone can be a nightmare:
    • Our devices are now chock-full of sensitive personal and, in some cases, business information
    • Having a plan for a lost device can save you a lot of time and heartache, and preparing your devices before they are stolen is the best way to avert disaster
    • Configure and know how to use the "Find My" device feature. This will allow you to locate and/or remotely erase (wipe) devices
    • Ensure that your device is locked with a password, fingerprint, etc.
    • Use strong, unique passwords on all accounts. Use a secure password manager to automate and manage passwords
    • Enable Multi-factor authentication (MFA) on all your accounts
    • Ensure that you have a good backup of your device
    • Limit the sensitive information stored on your device
    • Use your vendor's features to lock the phone and if you are certain it's stolen, wipe it
    • Act quickly if a device is lost. If the device is turned off or the battery is removed, you’ll be unable to wipe it
    • Android: https://myaccount.google.com/find-your-phone?pli=1
    • iOS: https://www.apple.com/icloud/find-my/
  • A large percentage of apps contain open source bugs and/or are not updated:
    • Most developers don't write every line of code in an application from scratch; they rely on libraries of code to save time and speed up the development process
    • In many cases, they rely on open source libraries of code that anyone can freely use
    • Code libraries, like all software, have bugs
    • "Prominent in almost every application today, open-source libraries allow developers to move faster by quickly adding basic functionality," according to Veracode.
    • "In fact, it would be nearly impossible to innovate with software without these libraries. However, lack of awareness about where and how open source libraries are being used and their risk factors is a problematic practice." - Veracode
    • Veracode’s annual State of Software Security report found that as many as 70% of applications in use today have at least one security flaw resulting from an open-source library that is used
    • Veracode reviewed 351,000 external libraries in 85,000 applications
    • Unfortunately, these libraries may be used in hundreds or thousands of other apps, so a single bug can have far reaching effects
    • Veracode's research indicated that most flawed libraries end up in code indirectly. Developers might use one library that relies on another library without their knowledge
    • Veracode said "Forty-seven percent of the flawed libraries in applications are transitive – in other words, they are not pulled in directly by developers, but are being pulled in by the first library (42 percent are pulled in directly, 12 percent are both). This means that developers are introducing much more code, and often flawed code, than they might be anticipating."
    • "Most library-introduced flaws (nearly 75 percent) in applications can be addressed with only a minor version update; major library upgrades are not usually required" said Veracode
    • In some cases, there is the additional issue that the work on an open source library stops so there are no updates
    • This is more an issue of understanding and tracking the libraries used than of rewriting a huge amount of code, but updating a library can break things
    • You can limit your exposure to this issue by limiting the number of apps you install and by removing old apps you don't need
  • 100 million Android users have installed a dubious Chinese app:
    • VPNpro released a new report about a Chinese "spyware" app with more than 100 million installs
    • The app is VivaVideo, described by VPNpro as "one of the biggest free video editing apps for Android, with at least 100 million installs on Play Store."
    • VivaVideo is one of 40 Chinese apps listed by the Indian government as "either spyware or ‘malicious-ware’" in 2017
    • The developer behind the app, Hangzhou-based QuVideo Inc, has other questionable apps with at least 50 million installs
    • According to VPNpro these apps request "dangerous" permissions. Worse, at least one of them is hiding a malicious remote access trojan (RAT)
    • It also appears that the Chinese developer masked the origin of the app using local subsidiaries for the Google Play Store
    • Google has pulled networks of apps that abuse permissions once discovered
    • VPNpro reported that the app is allowed "to send your location data up to 14,000 times per day, even when you’re not using their apps."
    • VidStatus (50 million installs) "asks for a whopping 9 dangerous permissions, including GPS, the ability to read phone state, read contacts, and even go through a user’s call log." Microsoft identified it as malware, hiding the AndroRat trojan
    • "When we checked VidStatus on VirusTotal, it came back positive," VPNpro warns. "These kinds of trojans can steal people’s bank, cryptocurrency or PayPal funds."
    • According to VPNpro, QuVideo has three apps on Play Store, although it appears to be networked to others as well. It also has apps on the iOS App Store
    • Thankfully, iOS permissions are different and not as open to the same issues
    • Other apps connected to this developer include:
      • VivaVideo PRO Video Editor HD
      • VivaCut: Pro Video Editor 
      • SlidePlus: Photo Slideshow Maker
      • Tempo: Music Video Editor with Effects
    • Carefully vet any app before you download it, especially if it's from China
    • Pay attention to the permissions you grant these apps and if an app asks for permissions that don't make sense, don't install it
    • Limit your exposure by limiting the number of apps you install and by removing old apps you don't need
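
The direct / transitive / both split that Veracode describes in the open-source library item above can be computed from an app's dependency graph. The following is an added example, not code from Veracode or the show; the library names, versions and advisories are constructed sample data, and versions are assumed to be in major.minor.patch form.

```python
from collections import deque
# Constructed sample data: the app's declared libraries and what each one pulls in.
APP_DIRECT = ["web-framework", "image-tools", "json-lib"]
DEPENDS_ON = {
    "web-framework": ["template-engine", "json-lib"],
    "image-tools": ["zip-lib"],
    "template-engine": ["yaml-lib"],
}
# Constructed advisories: library -> (installed version, first fixed version).
# Assumption: versions are major.minor.patch, so "same major" means no major upgrade.
FLAWED = {
    "json-lib": ("2.3.1", "2.3.4"),
    "yaml-lib": ("1.0.0", "2.0.0"),
    "image-tools": ("4.1.0", "4.2.0"),
    "unused-lib": ("0.9.0", "0.9.1"),
}

def transitive_paths(direct, graph):
    """Breadth-first walk: {library: shortest chain} for libraries pulled in by another."""
    paths, seen = {}, set()
    queue = deque((lib, [lib]) for lib in direct)
    while queue:
        lib, chain = queue.popleft()
        if lib in seen:          # already expanded; also protects against cycles
            continue
        seen.add(lib)
        for dep in graph.get(lib, []):
            paths.setdefault(dep, chain + [dep])
            queue.append((dep, chain + [dep]))
    return paths

def classify_flawed(direct, graph, flawed):
    """Label each flawed library the app actually ships as direct, transitive or both."""
    paths = transitive_paths(direct, graph)
    report = {}
    for lib, (installed, fixed) in flawed.items():
        is_direct, is_transitive = lib in direct, lib in paths
        if not (is_direct or is_transitive):
            continue             # advisory for a library this app does not include
        how = "both" if is_direct and is_transitive else ("direct" if is_direct else "transitive")
        report[lib] = {
            "how": how,
            "pulled_in_via": paths.get(lib),
            "fixed_without_major_upgrade": installed.split(".")[0] == fixed.split(".")[0],
        }
    return report

if __name__ == "__main__":
    for name, info in classify_flawed(APP_DIRECT, DEPENDS_ON, FLAWED).items():
        print(name, info)
```

The `pulled_in_via` chain is what a developer needs in order to see which declared library has to be updated to get the fixed version of a library they never chose themselves.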

55KRC · THE Talk Station in Cincinnati